--- matrixssl/src/sslDecode.c.orig	2007-08-17 14:12:23.000000000 -0400
+++ matrixssl/src/sslDecode.c	2007-08-17 15:56:46.000000000 -0400
@@ -619,6 +619,8 @@
 		First two bytes are the highest supported major and minor SSL versions
 		We support only 3.0 (support 3.1 in commercial version)
 */
+		matrixStrDebugMsg("c                      is %u\n", c);
+		matrixStrDebugMsg("end                    is %u\n", end);
 		if (end - c < 2) {
 			ssl->err = SSL_ALERT_ILLEGAL_PARAMETER;
 			matrixStrDebugMsg("Invalid ssl header version length\n", NULL);
@@ -626,6 +628,7 @@
 		}
 		ssl->reqMajVer = *c; c++;
 		ssl->reqMinVer = *c; c++;
+		matrixStrDebugMsg("after version number c is %u\n", c);
 		if (ssl->reqMajVer >= SSL3_MAJ_VER) {
 			ssl->majVer = ssl->reqMajVer;
 			ssl->minVer = SSL3_MIN_VER;
@@ -651,7 +654,9 @@
 			}
 			memcpy(ssl->sec.clientRandom, c, SSL_HS_RANDOM_SIZE);
 			c += SSL_HS_RANDOM_SIZE;
+		matrixStrDebugMsg("after random block   c is %u\n", c);
 			ssl->sessionIdLen = *c; c++;
+			matrixStrDebugMsg("before session id c is %u\n", c);
 /*
 			If a session length was specified, the client is asking to
 			resume a previously established session to speed up the handshake.
@@ -685,6 +690,7 @@
 */
 				ssl->flags &= ~SSL_FLAGS_RESUMED;
 			}
+		matrixStrDebugMsg("after session id     c is %u\n", c);
 /*
 			Next is the two byte cipher suite list length, network byte order.  
 			It must not be zero, and must be a multiple of two.
@@ -696,6 +702,7 @@
 			}
 			suiteLen = *c << 8; c++;
 			suiteLen += *c; c++;
+			matrixStrDebugMsg("before cipher list   c is %u\n", c);
 			if (suiteLen == 0 || suiteLen & 1) {
 				ssl->err = SSL_ALERT_ILLEGAL_PARAMETER;
 				matrixIntDebugMsg("Unable to parse cipher suite list: %d\n", 
@@ -732,6 +739,7 @@
 					}
 				}
 			}
+			matrixStrDebugMsg("after cipher suites  c is %u\n", c);
 /*
 			If we fell to the default cipher suite, we didn't have
 			any in common with the client, or the client is being bad
@@ -750,6 +758,7 @@
 			and value 0 (second byte).  There are no compression schemes defined
 			for SSLv3
 */
+			matrixStrDebugMsg("before compression header length c is %u\n", c);
 			if (end - c < 1) {
 				ssl->err = SSL_ALERT_ILLEGAL_PARAMETER;
 				matrixStrDebugMsg("Invalid compression header length\n", NULL);
@@ -762,6 +771,7 @@
 				return SSL_ERROR;
 			}
 			c += extLen;
+			matrixStrDebugMsg("after comps          c is %u\n", c);
 
 			if (ssl->reqMinVer == SSL3_MIN_VER && extLen != 1) {
 				ssl->err = SSL_ALERT_ILLEGAL_PARAMETER;
@@ -773,14 +783,17 @@
 			to parse here:  Two byte length and extension info.
 			http://www.faqs.org/rfcs/rfc3546.html
 */
-			if (ssl->reqMinVer >= TLS_MIN_VER && c != end) {
+			/*if (ssl->reqMinVer >= TLS_MIN_VER && c != end) {*/
+			if (c != end) {
 				if (end - c < 2) {
 					ssl->err = SSL_ALERT_ILLEGAL_PARAMETER;
 					matrixStrDebugMsg("Invalid extension header len\n", NULL);
 					return SSL_ERROR;
 				}
+			    matrixStrDebugMsg("before extLen c is %u\n", c);
 				extLen = *c << 8; c++;
 				extLen += *c; c++;
+			    matrixStrDebugMsg("before extensions c is %u\n", c);
 				if (end - c < extLen) {
 					ssl->err = SSL_ALERT_ILLEGAL_PARAMETER;
 					matrixStrDebugMsg("Invalid extension header len\n", NULL);
@@ -793,6 +806,7 @@
 				just skip over all extensions, ignoring them.
 */
 				c += extLen;
+			    matrixStrDebugMsg("after extensions c is %u\n", c);
 			}
 		} else {
 /*
@@ -885,6 +899,8 @@
 		if (c != end) {
 			ssl->err = SSL_ALERT_ILLEGAL_PARAMETER;
 			matrixStrDebugMsg("Invalid final client hello length\n", NULL);
+			matrixStrDebugMsg("parsed to %u\n", c);
+			matrixStrDebugMsg("end at %u\n", end);
 			return SSL_ERROR;
 		}